~~NOCACHE~~

## InstanceMetaDataV1V2

Enhancements to the EC2 Instance Metadata Service have strengthened its defenses against vulnerabilities.

### What changed in V2

AWS official: https://aws.amazon.com/jp/blogs/news/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Reference: [[https://speakerdeck.com/hasegawayosuke/ssrfji-chu|SSRF Basics]]

### How to check

The setting can be checked with aws ec2 describe-instances.

#### Command example

```
aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId, MetadataOptions]'
```

### Retrieving metadata

- Windows: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/WindowsGuide/instancedata-data-retrieval.html
- Linux: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

#### V1 and V2 behavior

The mode can also be confirmed from how the service behaves.

With v2, accessing %%http://169.254.169.254%% without issuing a token returns a 401 error, as shown below.

With v1, results can be retrieved from %%http://169.254.169.254%% even without issuing a token.

### V2 (required)

```
[root@]# curl http://169.254.169.254/latest/
401 - Unauthorized

401 - Unauthorized

[root@]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    56  100    56    0     0  16331      0 --:--:-- --:--:-- --:--:-- 18666
*   Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /latest/ HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.87.0
> Accept: */*
> X-aws-ec2-metadata-token: AQAAYDJARJ0skbx71xcE9AJyMZ2pQ=0WEqzsMZwb9ZoGPpYXZr8UdRe=
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/plain
< Date: Tue, 07 Mar 2023 12:59:30 GMT
< Last-Modified: Tue, 07 Mar 2023 12:30:20 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
dynamic
meta-data
* Closing connection 0
```
### V1 (optional)

```
[root@]# curl http://169.254.169.254/latest/
dynamic
meta-data

[root@]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    56  100    56    0     0  11620      0 --:--:-- --:--:-- --:--:-- 14000
*   Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /latest/ HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.87.0
> Accept: */*
> X-aws-ec2-metadata-token: AQAAYDJARJ0skbx71xcE9AJyMZ2pQ=0WEqzsMZwb9ZoGPpYXZr8UdRe=
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/plain
< Date: Tue, 07 Mar 2023 12:57:08 GMT
< Last-Modified: Tue, 07 Mar 2023 11:06:31 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
dynamic
meta-data
* Closing connection 0
```

{{tag>AWS EC2}}
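The following Python script is an added example, not part of the original notes: it reads the JSON printed by the describe-instances query in "How to check" and classifies each instance by the IMDS mode its MetadataOptions imply, so that instances still answering token-less requests can be listed fleet-wide instead of probed one by one with curl. The sample output and instance IDs are constructed, and the function names and mode labels are this example's own.

```python
import json

# Constructed sample in the shape printed by the --query on this page:
# a list of [InstanceId, MetadataOptions] pairs. Instance IDs are made up.
SAMPLE_OUTPUT = """
[
  ["i-00000000000000001", {"State": "applied", "HttpTokens": "required",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}],
  ["i-00000000000000002", {"State": "applied", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}],
  ["i-00000000000000003", {"State": "applied", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}],
  ["i-00000000000000004", {"State": "pending", "HttpTokens": "required",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}],
  ["i-00000000000000005", null]
]
"""

def classify(opts):
    """Map one MetadataOptions object to the IMDS mode it implies."""
    if not opts:
        return "unknown"        # MetadataOptions missing from the output
    if opts.get("HttpEndpoint") == "disabled":
        return "disabled"       # metadata endpoint is switched off
    if opts.get("State") == "pending":
        return "pending"        # change not applied yet, re-check later
    if opts.get("HttpTokens") == "required":
        return "v2-only"        # token-less GET returns 401
    return "v1-allowed"         # token-less GET still returns metadata

def audit(cli_output):
    """Return {instance_id: mode} for the JSON printed by the query."""
    return {iid: classify(opts) for iid, opts in json.loads(cli_output)}

def needs_attention(cli_output):
    """Instance IDs whose mode is neither v2-only nor disabled."""
    modes = audit(cli_output)
    return sorted(i for i, m in modes.items() if m not in ("v2-only", "disabled"))

if __name__ == "__main__":
    for iid, mode in audit(SAMPLE_OUTPUT).items():
        print(iid, mode)
    print("review:", needs_attention(SAMPLE_OUTPUT))
```
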